XIQ OnPrem / IQVA New Release

daniel1
New Contributor III

Hi,

Can anyone from Extreme tell me when you plan to release a new feature version of XIQ OnPrem?

This is getting ridiculous: no big feature update for one and a half years. We still have to use 21.1.x, so the January 2021 version according to your scheme.

6 REPLIES

daniel1
New Contributor III

It's unfortunate to hear that Extreme presents their OnPrem customers a "Go to Cloud or die" choice.

BillL
New Contributor II

While IQVA has been announced EOS, we are planning on a release of IQVA in the Dec/January timeframe. It will feature several bug fixes, updated features, support for DTLS 1.2, and new AP support for the new "-1" SKUs (no Bluetooth).

Bill Lundgren, Distinguished Engineer
Portfolio Architect - Architecture, Security and Compliance
Extreme Networks

daniel1
New Contributor III

Hi @BillL,
Are you guys serious with this? Security Advisory: SA-2022-010 – OpenSSL (CVE-2022-1292) | Extreme Portal (force.com)
"IQVA – Will not be fixed. Please upgrade to XIQ."

I'm guessing that your "Dec/Jan release" was just a joke?

BillL
New Contributor II

Hello,

Allow me to simplify. As the bulletin says, "In certain configurations, an attacker could execute arbitrary commands with the privileges of the script." In IQVA, yes, c_rehash is present. However, IQVA does not use it in any process, the configurations required for exploit are non-existent, and access to the OS in any capacity to expose it is not exposed. Several other CVEs are being tackled in the January release, specifically CVE-2021-4034. And no, the January release is not a joke, and is currently tracking as follows:

  • Dev Start: (after 22r7 in cloud), on or about 11/15
  • Dev Complete: 12/15 (4w development time)
  • QA Test: 3w beginning in early January
  • GA Available: end of January

 

Bill Lundgren, Distinguished Engineer
Portfolio Architect - Architecture, Security and Compliance
Extreme Networks